Nmedia - Fotolia
Researchers from Newcastle University demonstrated a drive-by keylogger exploit known as PINLogger that uses mobile device sensors to guess four-digit PINs, which are then used to unlock devices or as part of two-factor authentication. The attack can be carried out when a user enters a PIN on their smartphone while a malicious webpage is open. How does this exploit work? Are there any browser or device protections that can stop such attacks?
New privacy and security risks require careful evaluation by multidisciplinary experts, end users and enterprises. When these risks involve new technology, fear, uncertainty and doubt frequently dominate the analysis.
For consumers, the risks may be worth it for the new functionality. The potential risks don't stop widespread adoption, nor should they, but people should at least be aware that there are unknown risks attached to new systems.
Side-channel attacks are among the most complex risks to evaluate. Side-channel attacks that exploit power consumption and accelerometer sensors for tracking have gotten some attention, but require the installation of applications on the targeted endpoint. These attacks are growing more sophisticated on mobile devices, as the multitude of sensors, data and access add to the complexity.
New research from Newcastle University demonstrated a drive-by exploit using a side-channel attack known as PINLogger that does not require installing an app on the endpoint, lowering the bar for the attacks. The attack can detect when PINs are being entered on a device, and then steal them.
These web APIs are able to detect privacy-sensitive data, like device location, but more importantly, they can be used to determine when a PIN is being entered on a device. The PINLogger attack uses machine learning and a neural network to analyze sensor data to determine when a PIN is being entered, as well as the actual PIN.
The researchers recommended a number of mitigations for this keylogger attack, including restricting access to sensors or changing the fidelity of the data collected. Other recommendations include the following:
- Do not fire events when the page on which they were registered is not visible or has been backgrounded.
- Fire events only on the top-level browsing context or nested iframes of the same origin.
- Limit the frequency of events -- typically, 60 Hz is sufficient.
Providing an end user with notifications and control over sensors when they are accessed could improve awareness, but users will need usable guidance on what action to take.
Something the researchers didn't suggest is that noise could potentially be added without impacting an individual's actual use of a sensor. Disabling the sensors may not be possible on a device, and it may result in the loss of desired functionality. Using a browser without this functionality for general web browsing may minimize the risk of an attack.
Research like this helps advance awareness of the risks of keylogger attacks and improves users' expectations. The researchers also noted that the risks will only get more complex as new sensors are added, access to sensors is expanded, and new data becomes available from internet of things devices.
Additional research on human factors in information security will help improve the state of information security and help to identify how these risks can be communicated to standard users. Including expectations of information security and privacy in the development of new standards can ensure that the issues are included.
Learn about the security risks of using network sensors in the enterprise
Find out about the top three mobile security threats
Dig Deeper on Mobile security threats and prevention
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading